SRX

Hey everyone !

 

I currently have a srx100 Juniper.

 

My wish would be to define multiple access vlan on a physical port of the Juniper.

 

To validate my configuration I realise a ping from my PC 192.168.100.11 to the 192.168.100.1 logical interfaces but no answer from the ping...

 

(It's more easier to understand with a schema )

 

 

 

 

 

 

Does anyone have a configuration idea to bring me?

 

Thank you !

 

Hi,

 

Do you have the interfaces a zone? and if they are in separate zones is there security policy defined?

 

Refer to https://www.juniper.net/documentation/en_US/junos12.1x46/topics/example/security-srx-device-zone-and-policy-configuring.html for an example of zones/policies.

 

if you need more help paste the rest of the configuration.

 

Tim

 

 

Welcome to J-NET forums. Nice topology diagram on your first post itself.


Make sure you have added the vlan interfaces to security zones and allowed necessary host-inbound traffic. Security policies if you are sending traffic through the device .

Below KB's can be useful for first time users.
Configure Ethernet ports for switching
https://kb.juniper.net/KB16667

SRX getting started Configuration Examples & Troubleshooting (JumpStation)

https://kb.juniper.net/KB15694

Thanks for your quick replies.

 

Yes, I have added the phisical and the logicials interfaces in a zone of security and I authorized all the traffic inboud / outbound.

 

When I disable the tagging-vlan and I put only 1 logical port in access mode vlan 100, ping works.

 

But when I want to put multiple logical interfaces on a single physical port (this current configuration) Ping does not work.

When you enable vlan-tagging, SRX(any device) expects the packets with VLAN-TAG, but when you plugin the PC directly, they dont send packets with VLAN-TAGs and they get discarded by SRX. When you put port as access-mode, SRX dont expect VLAN-Tags and it works.

 

If you need VLAN tagging, you need to have a switch between SRX and PC ,who can do necessary tagging

Ok, so you suggest if i do this configuration, my pc can be able to ping the interface 192.168.100.1 ?

 

 

Thank you. 

Yes, you can also just do it with eg. fe-0/0/3 as an access port in vlan 100 - but will work via an external switch as well.

Yes, this looks better.

Thank you very much to all who helped me deal with this issue.

 

I made the same configuration and the same connection as on the diagram and I can now ping the 100 VLAN interface of my firewall.

 

Thank you very much !

Hi,

 

from what I see you are expecting the fe-0/0/3 port to be able to reach 192.168.100.1 as directly connected. In this case you are mixing switched ports with layer3-termination on physical interfaces.

 

To get it working i would suggest something like this config (can be with errors as it has been written in hand without cli validation):

delete interface fe-0/0/3
delete interface fe-0/0/4
set interface fe-0/0/3.0 family ethernet-switching vlan members vlan100
set interface fe-0/0/4.0 family ethernet-switching port-mode trunk
set interface fe-0/0/4.0 family ethernet-switching vlan members vlan100
set interface fe-0/0/4.0 family ethernet-switching vlan members vlan10
set vlans vlan100 l3-interface vlan.100
set vlans vlan10 l3-interface vlan.10
set interface vlan.10 family inet address 172.16.10.1/24
set interface vlan.100 family inet address 192.168.100.1/24

Changes done:

• delete all previous config from fe-0/0/3 and fe-0/0/4
• changes fe-0/0/4 to a switching trunk port with vlan10 and vlan100. 
• changes fe-0/0/3 to a switching access port in vlan 100
• created two layer3 vlan-interfaces and attached them to a vlan

Also remember to change security zones to match vlan.XX interfaces instead of logical interfaces on fe-0/0/4.

 

Let us know how you progress and if other issues arises 🙂